IBM Patches BIND and OpenSSL Flaws in IBM i

March 18, 2015
Alex Woodie

IBM has recently patched several security vulnerabilities in the IBM i operating system, including some lingering OpenSSL problems as well as a new ISC BIND delegation handling vulnerability. The vulnerabilities affect multiple releases of IBM i and could let an attacker crash affected servers, so apply the PTFs as soon as possible.

The more critical vulnerabilities relate to delegation handling in the Berkeley Internet Name Domain (BIND) software, ISC's implementation of the Domain Name System (DNS). Two BIND-related flaws were disclosed in December 2014 by the Internet Systems Consortium (ISC), which develops and maintains BIND and operates one of the Internet's 13 DNS root servers.

The first flaw, CVE-2014-8500, is an oversight in BIND 9's handling of delegations: a malicious authoritative server or zone can hand a resolver an endless chain of referrals, and BIND will issue an unlimited number of queries trying to follow them, which leads to resource exhaustion and a crash. ISC rated CVE-2014-8500 "critical," while the National Institute of Standards and Technology (NIST) gave it a 7.8 on the Common Vulnerability Scoring System (CVSS), owing to the ease with which an attacker can exploit it.
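To make that failure mode concrete, here is an added example written for this article (it is not BIND code and does not reproduce BIND's internals): a toy iterative resolver in Python that is fed a constructed "Internet" of three servers. The server addresses, zone names and the budget of 50 queries are assumptions. The rogue zone models the endless delegation chain described above, and the per-question query budget is the kind of bound that turns an unbounded loop into a bounded, reportable failure.

```python
# Added example, not BIND code: a simplified iterative resolver that models
# delegation chasing and a per-question query budget as mitigation.
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass
class Answer:
    address: str


@dataclass
class Referral:
    ns_name: str                 # the nameserver we are told to ask next
    glue: Optional[str] = None   # its address, if the referral carries glue


class QueryBudgetExceeded(Exception):
    """One client question needed more outbound queries than allowed."""


class ResolutionFailed(Exception):
    """A server had neither an answer nor a referral for the name."""


# --- constructed "Internet": three servers keyed by address (assumptions) ---

def root_server(qname: str):
    """Model root/TLD server: refers each query to its zone, with glue."""
    if qname.endswith("example.com"):
        return Referral("ns1.example.com", glue="192.0.2.53")
    if qname.endswith("attacker.test"):
        return Referral("ns0.attacker.test", glue="203.0.113.53")
    return None


def example_com_server(qname: str):
    """Well-behaved authoritative server for example.com."""
    records = {"www.example.com": "192.0.2.10", "ns1.example.com": "192.0.2.53"}
    return Answer(records[qname]) if qname in records else None


def make_attacker_server() -> Callable[[str], Referral]:
    """Rogue server: every question gets a referral to a brand-new nameserver
    name in its own zone, never with glue, so the resolver must start a fresh
    lookup for that nameserver, which lands back here and yields another one."""
    counter = {"n": 0}

    def serve(qname: str) -> Referral:
        counter["n"] += 1
        return Referral(f"ns{counter['n']}.attacker.test", glue=None)

    return serve


ROOT_HINT = "198.41.0.4"   # assumed address of the single "root" in this model
SERVERS: Dict[str, Callable] = {
    ROOT_HINT: root_server,
    "192.0.2.53": example_com_server,
    "203.0.113.53": make_attacker_server(),
}


class Resolver:
    """Minimal iterative resolver with a per-question outbound query budget."""

    def __init__(self, servers, root_address: str, max_queries: int = 50):
        self.servers = servers
        self.root = root_address
        self.max_queries = max_queries   # the mitigation: bound work per question
        self.queries_sent = 0

    def resolve(self, qname: str) -> str:
        self.queries_sent = 0            # one budget shared by all sub-lookups
        return self._resolve(qname)

    def _query(self, server: str, qname: str):
        if self.queries_sent >= self.max_queries:
            raise QueryBudgetExceeded(f"{qname}: gave up after {self.queries_sent} queries")
        self.queries_sent += 1
        return self.servers[server](qname)

    def _resolve(self, qname: str) -> str:
        server = self.root
        while True:
            rr = self._query(server, qname)
            if isinstance(rr, Answer):
                return rr.address
            if rr is None:
                raise ResolutionFailed(qname)
            # Glueless referral: look up the nameserver's own address first.
            # Against the rogue zone this recursion never bottoms out; only the
            # budget check in _query ends it (without it: RecursionError here).
            server = rr.glue if rr.glue else self._resolve(rr.ns_name)


def demo(max_queries: int = 50) -> Dict[str, Tuple[str, Optional[str], int]]:
    """Resolve a benign and a malicious name; report outcome and queries used."""
    results = {}
    for qname in ("www.example.com", "victim.attacker.test"):
        resolver = Resolver(SERVERS, ROOT_HINT, max_queries)
        try:
            results[qname] = ("answer", resolver.resolve(qname), resolver.queries_sent)
        except QueryBudgetExceeded:
            results[qname] = ("budget-exceeded", None, resolver.queries_sent)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The benign lookup costs two queries (root referral with glue, then the answer); the lookup under the rogue zone costs two queries per referral level and would never finish, so the resolver stops cleanly at the budget instead of exhausting memory or the stack. The point for operators is that the limit is per client question, not global: a single malicious delegation must not be able to consume the server's whole query capacity.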

A second set of BIND flaws, collectively tracked as CVE-2014-8680, affects the GeoIP features of BIND 9.10 and can also be used to mount denial-of-service (DoS) attacks on affected servers. NIST gives these flaws a CVSS score of 5.4, reflecting the greater difficulty of exploiting them.

The first BIND flaw, CVE-2014-8500, impacts i5/OS V5R4 through IBM i 7.2. IBM has issued three PTFs to fix it: SI55895 for IBM i 6.1, SI55748 for IBM i 7.1, and SI55866 for IBM i 7.2, according to IBM's security advisory. V5R4 will not be patched, as IBM no longer supports it.

Meanwhile, IBM patched a slew of OpenSSL flaws disclosed in January, including:

CVE-2014-3569, the ssl23_get_client_hello denial of service vulnerability, which has a CVSS rating of 5

CVE-2014-3570, the Bignum squaring (BN_sqr) vulnerability, in which the routine can produce incorrect results, which has a CVSS rating of 2.6

CVE-2014-3571, the DTLS denial of service vulnerability, which has a CVSS rating of 5

CVE-2014-3572, the ECDHE-to-ECDH downgrade (weak security) flaw, which has a CVSS rating of 1.2

CVE-2014-8275, the certificate fingerprint modification security bypass vulnerability, which has a CVSS rating of 2.1

CVE-2015-0204, the ssl3_get_key_exchange RSA-to-EXPORT_RSA downgrade vulnerability, which has a CVSS score of 4.3

CVE-2015-0205, the DH client certificate security bypass, which has a CVSS score of 2.1

CVE-2015-0206, the dtls1_buffer_record memory leak and denial of service vulnerability, which carries a CVSS rating of 5

These flaws affect every release from i5/OS V5R3 through IBM i 7.2, according to IBM's PSIRT blog. However, only IBM i 6.1 through 7.2 have been patched, with PTFs SI56063 (for IBM i 6.1), SI55950 (for IBM i 7.1), and SI55951 (for IBM i 7.2); the older i5/OS releases will not be patched.

The new batch of OpenSSL patches is nowhere near as bad as the Heartbleed flaw that led millions of people to change their passwords last April, and which affected IBM i, Power Systems firmware, and applications. But it is still a potent reminder of the pitfalls that bundled open source components can bring, and of the vigilance IBM i shops must exercise so they are not caught unknowingly running vulnerable code.